Description
Introduction to DevSecOps with John Willis (Red Hat)
Dec 10, 2019
OpenShift Commons Briefing
Now, there was some sort of prior art before there was Rugged; Josh Corman and a few other people did a Rugged Manifesto, very similar, but this was really the beginning of sort of attaching security directly with, you know, literally using the name DevOps. And if you look, we're going into this in detail. I hope that, as we sort of explore this community opportunity in this OpenShift Commons SIG, we can explore a lot of things.

We're gonna talk about, in the next ten or fifteen minutes; I really want to sort of get the community involved. But the idea of leaning in, if you look down there: leaning in over always saying no, right? Like, so, you know, embracing lean ideas and sort of all the things that we've really come to know and love in DevOps. Data and security science over fear, uncertainty and doubt, right, like using sort of science.

You know, a lot of the stuff that we've seen in DevOps would accelerate; I'm using science now to prove, or to correlate, our outcomes, right, so using those same methods that we've enjoyed in DevOps. Same thing: open contribution and collaboration over security-only requirements. That is one of the sort of issues, particularly in large, you know, large-cap corporations, Fortune 1000, Fortune 5000.

You find that a lot of these security demands are from some sort of global policy office or governance and risk, and they're sort of mandated by books that people don't really ever see. So this idea that we're really going to treat security as just part of this contribution and collaboration that we've been doing reasonably successfully, I would say very successfully, in DevOps. Consumable security services with APIs over mandated security controls and paperwork, right; you'd be alarmed at how many large financial institutions today are, you know, best case, their sort of policy guidelines are in, you know, spreadsheets; massively, I mean, 300-column spreadsheets. And so, yeah, sort of moving into this century with how we treat security, very much like we do everything.

And, more importantly, I'll be talking a lot, or one of the conversations I really want to explore in this opportunity, this SIG, is, you know, policy, governance, risk and compliance, so not just DevSecOps; it plays at that as well and we'll get more into that. Business-driven security scores over rubber-stamp security, so scorecards. Red and blue team exploit testing over relying on scans or theoretical vulnerabilities.

This is where, you know, the sort of incident or preemptive model that we see in some sort of DevOps, or just the way people do those scan libraries and feel like they're safe, or they'll just do incident resolution or post-mortems. But this idea is you actually start to create an attack vector from internal, like a red team.

In fact, Shannon, last time I talked to her, I think runs like a 60- or 70-person red team at Intuit, right there; like, that's crazy, right. 24 by 7 proactive security monitoring over reacting after being informed of an incident, right; again, being proactive. Shared threat intelligence: this is really important. Shannon says this a lot, and you can tell already that she's pretty much been my mentor on it; we were actually working on it.

They have a SecOps handbook; I'm actually a co-author of the DevOps Handbook, but one of the things he talks about is how intelligent the adversaries are and how equipped they are and how they use the tools. And so, when I'm presenting to a large audience, and our last, you know, the order is: how many people in this room work for a financial institution? And depending on the venue, maybe a third of the room will raise a hand, and I'll say, well, how many of you who have your hand raised right now actually share intelligence and have some sort of cadence of communication about the adversaries? And every hand goes down, right. And what Shannon likes to point out, and I point out too, is the adversaries are very collaborative; they're very DevOps. They are sharing information on your institutions at a rapid rate. They have all the tools that you have.

So, again, I think the opportunity here is to really, and I'm finding over the last couple of years more companies that would be less inclined to, like two or three banks, share information. In fact, I worked on a project earlier this year where we had three banks on an automated governance project, and I'll be writing some more stuff about that. So there's sort of a new model.

This is about outcomes, right, so one of the things we've done really well in DevOps is started moving and shifting to outcome-based thinking. If you're thinking about DevOps metrics, well, it's the same type of thing: what are the business metrics that we want to drive? One of my favorites is proactive hunting, and we talked about this a little bit in the manifesto, where instead of just doing incident resolution, you're proactively hunting, like the adversaries.

You know, people have these red teams, where their full-time job is to attack. They are attackers; they are cyber security folks or hackers, basically, and their job is to just constantly attack their own infrastructure, and along with that you start understanding the adversary patterns. And then, around the fifth one, you have continuous detection and response, which is really just saying that security needs to have a holistic approach integrated with all these other approaches, like development and operations.

And now we talk about SRE and those things, but those are the principles. So then the question becomes why, and, you know, obviously in security we must have a why, but what's the real why, right now, beyond the headlines, right? And so how do we do that? We start with a headline. Marc Andreessen, a famous VC, but famous for a lot of other reasons, in 2011 said software is eating the world, right, and this has been true, right.

There's a software explosion, and really what's rounding up to be this decade, it's probably been, starting closer to like 2007-2008, just explosive. But when I started really looking at DevOps or security, sorry, security under the lens of DevOps, i.e. what we've been calling DevSecOps, I got to interact with a lot of lifetime security, white hat security people, and people are really, really worried.

Not that we could stop the train; like, open source and the software explosion, that train has left the station, but are we paying attention to what they would say: software is infecting the world, right. And it's not a negative against open source and all the positive things that are going on; it's just an awareness opportunity that I started hearing as I interviewed people. And if you look at Sonatype, every year they do a software supply chain report, the State of the Software Supply Chain report. So in 2018 I documented some of their findings, and so if you look at what Andreessen was saying, this is basically downloads for Java components. This report looked at Maven Central, which is really most of the Java activity, and in 2011 there were six billion downloads of Java components, and in 2017 eighty-seven billion.

The 2019 report says that the Java components are hovering around one hundred and fifty billion. So this is exponential growth, right, and by the way, from their data, they say that 10% of all of those open-source Java components are vulnerable, have vulnerabilities in them. In fact, if you look at node or JavaScript, basically, you have like 50 percent, at least, from their data. And in fact, year-over-year growth of node is about a hundred and nine, growth for Java is 81%, and, since I'm throwing numbers out, yeah, 71% over the last year: from the 2019 supply chain report, 71% of all breach incidents were related to open source software. Again, this is not an indictment of open source software; it's an indictment of how we have to significantly change the way we manage software and software delivery. Just staying on the scare train here, you know, I won't go through all this.

So the train just keeps continuing, and what's interesting, when we talk about the Equifax breach, in that same report a year later, like you gotta remember, Equifax, for anybody who was paying attention, was on CNN. You couldn't be a citizen of the US and not know that something happened. You might not even have been in it, but you knew there was something that happened with Equifax. But the people who manage software, twelve months later, are still downloading eighty thousand copies of the vulnerable Struts, to date, that had already been patched for a year. And again, you couldn't use a larger megaphone to pronounce how dangerous this was. The way NIST, the National Institute of Standards and Technology, classifies the categories of vulnerabilities, CVEs, this was the highest: this was a ten, this Struts 2 vulnerability.

Then the Marriott breach, and I just, you know, the thing that was interesting: Marriott, pretty much the same kind of numbers, big deal, but that last line, the adversaries were in Marriott for four years, according to crow comm. Four years, right; that's the other thing: the adversaries are so sophisticated now, this notion of a kill chain, that they get in and they're willing to take a long time. They look at this.

There was a Bitcoin operator that actually used a specific module; they spent a year getting trusted to where they got commit authority, and then once they got commit authority they put in some malware inside of the module that they knew the Bitcoin operator used, and it was able to compromise the Bitcoin operator. I mean, this is the game, right. And there's another great report called the Verizon Data Breach Investigations Report, and in 2018, this is really scary, they said that 87 percent of known compromises happen, or the compromise happens, in less than a minute. It took a minute, a couple of minutes or less than a minute, and only three percent of organizations that were compromised discover that quickly, right, within minutes, where 68%, two-thirds, go undiscovered for months. Right, again, these adversaries are getting in, infecting your organization, and so, again, DevSecOps is a conversation to have around how do we catch up, be better at this.

And so how do we do this? So probably a first principle would be thinking about security as part of the classic sort of delivery, CI/CD supply chain, continuous delivery. This was a 2006 Agile conference slide that was used to describe this; imagine, in 2006, this idea that you build these gates into your software delivery. So you check in some code and it's like green, green, green, red, go back, fix it; green, green, green, green, green, red, go back, and so over time you create this resilience. So the idea is putting a security abstraction alongside it.

So we talked about shift left, so how about shift-left security as well? And so, if you look at, you know, I just picked some products; these are not really recommendations. I just wanted to make the point that when we talk about DevOps in a supply chain, we typically have products in each one of, if we have many products, but I just want to keep it simple, in each one of these stages of the pipeline, right. So the notion of shift left is you have things, there's always something in the left to use, to automate, or to build in that automation or correction or detection, right. But in security, you know, this is probably as early as 2018 or 2017, a lot of shops are sort of disjointed here. They don't, you know, they have pockets of security in the pipeline, but they don't think of it as a holistic view like we can in DevOps today. We look at the stages and we were pretty comprehensive about filling in all the gaps of a pipeline for software, but still a lot of organizations really don't think of security; it's sort of bolted on: well, you must have vulnerability scanning, you must have this, but there isn't, and again, DevSecOps is this opportunity to think about your classic automated pen testing, security monitoring, runtime configuration, particularly runtime configuration of the containers, all those good things.

And then also one of the areas that I've been really interested in is, you know, obviously DevSecOps applies to the supply chain. I think we're getting pretty mature at a pretty fast pace. You know, in OpenShift, we've done some great things there and I want to keep exploring what more we can do for DevSecOps purposes. It applies to OpenShift, but the area that I've really been interested in over the last years is what I'm loosely calling cloud native GRC. GRC is standing for governance, risk and compliance, right, or this notion of automated governance, right. And so this idea that a lot of what we do, a lot of our policy, our governance, our risk and compliance comes down to policy that gets implemented, and then we do, maybe in our change advisory board, an approver looks at it and then says, well, I think you need to explain this a little more. It's kind of actually silly at that point, because these are complex systems we're dealing with and humans actually can't comprehend the complexity of the changes. But we sort of build this telephone game of, then somebody from production basically says, well, I'll approve this, you know; what's your backup plan? And then what is the order to do the order?

It's mathematics, and they don't really have to ask a whole lot of questions of two different people about Bob: why did you say this? Can you show me the screen print? Right, so this is a really exciting area, and I worked on an e-book with a bunch of large organizations; it's published, so I'll be writing something up about that as well. And then, finally, just, you know, I think it's the kitchen sink, right.

We're gonna call it DevSecOps, because that's a good placeholder, but we don't need to really argue about the name; that's been done over. So really, let's talk about, like, first principles, as I described: automated governance, or cloud native governance and policy, and how do those two fit, and then really the kitchen sink: zero trust, adversary analysis. Incredible opportunities here to understand and collaborate on adversaries: who they are, how they get in.

You know, there's a Shannon, oh, you know, again, you can tell I'm a big fan of Shannon Lietz, but she talks about having retail, you know, metrics for her DevSecOps, like adversary retention rates: watching how often they come, identifying who they are, which is incredibly interesting, but then also identifying how long they come to the site and how long they stay, and if you're doing techniques and putting shift-left criteria in, are they staying less and going somewhere else? Data science: let's science the heck out of this.

Not just, again, I don't want to make fun of data science or ML or DL; I mean, there's great stuff there, but where it gets really interesting to me is when you're doing ML, machine learning, to actually identify who an adversary is, because you're pulling data from all these different places. That gets really interesting: data operations. You know, we treated it like the whole movement of DataOps, so like the whole objective attestation model.

And then, the other thing I think is really interesting, which I touched on a little bit earlier, is designing requirements, or security in ideation. Right, like, we talked a lot about commit to production, but how do we even move left of that? So great conversations there.

So anyway, a couple of resources: we're going to have the OpenShift Commons SIG; you know, that's a DevSecOps HTML page, basically, on the OpenShift Commons org, and then we've set up a Google group as well to have discussions, so looking forward to launching this off. And then I just want to thank you. My name is John Willis again, and I'm at Red Hat, and hope to just share knowledge in this, if you all are up to it. Thanks.